From patchwork Mon Apr 5 11:09:39 2021
X-Patchwork-Submitter: Anton Khirnov
X-Patchwork-Id: 26748
From: Anton Khirnov
To: ffmpeg-devel@ffmpeg.org
Date: Mon, 5 Apr 2021 13:09:39 +0200
Message-Id: <20210405110952.17679-3-anton@khirnov.net>
In-Reply-To: <20210405110952.17679-1-anton@khirnov.net>
References: <20210405110952.17679-1-anton@khirnov.net>
Subject: [FFmpeg-devel] [PATCH 02/17] lavf/matroskaenc: fix avio_printf argument types after bump

Field precision supplied with the '*' specification must be an int. Also, make sure converting those fields to int does not overflow.

--- libavformat/matroskaenc.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index bbf231f2a4..609a588f78 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -2143,7 +2143,7 @@ static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, const AVPac mkv_track *track = &mkv->tracks[pkt->stream_index]; ebml_master blockgroup; buffer_size_t id_size, settings_size; - int size; + int size, id_size_int, settings_size_int; const char *id, *settings; int64_t ts = track->write_dts ? pkt->dts : pkt->pts; const int flags = 0; @@ -2156,6 +2156,10 @@ static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, const AVPac &settings_size); settings = settings ? settings : ""; + if (id_size > INT_MAX - 2 || settings_size > INT_MAX - id_size - 2 || + pkt->size > INT_MAX - settings_size - id_size - 2) + return AVERROR(EINVAL); + size = id_size + 1 + settings_size + 1 + pkt->size; /* The following string is identical to the one in mkv_write_block so that 
@@ -2175,7 +2179,10 @@ static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, const AVPac put_ebml_num(pb, track->track_num, track->track_num_size); avio_wb16(pb, ts - mkv->cluster_pts); avio_w8(pb, flags); - avio_printf(pb, "%.*s\n%.*s\n%.*s", id_size, id, settings_size, settings, pkt->size, pkt->data); + + id_size_int = id_size; + settings_size_int = settings_size; + avio_printf(pb, "%.*s\n%.*s\n%.*s", id_size_int, id, settings_size_int, settings, pkt->size, pkt->data); put_ebml_uint(pb, MATROSKA_ID_BLOCKDURATION, pkt->duration); end_ebml_master(pb, blockgroup); @@ -2352,6 +2359,8 @@ static int mkv_write_packet_internal(AVFormatContext *s, const AVPacket *pkt) } else { if (par->codec_id == AV_CODEC_ID_WEBVTT) { duration = mkv_write_vtt_blocks(s, pb, pkt); + if (duration < 0) + return duration; } else { ebml_master blockgroup = start_ebml_master(pb, MATROSKA_ID_BLOCKGROUP, mkv_blockgroup_size(pkt->size,
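Review bot: in the second hunk (@@ -2156,6 +2156,10 @@), the new range check returns AVERROR(EINVAL) with no log message and no comment on where the constant 2 comes from, so a mux that fails here gives the user no hint which limit was hit. Suggest an av_log(s, AV_LOG_ERROR, ...) before the return and a one-line comment tying the 2 to the two "+ 1" separators in `size = id_size + 1 + settings_size + 1 + pkt->size;`. The third clause compares `pkt->size` against an expression built from `buffer_size_t` operands, and the definition of buffer_size_t is not in these lines, so please confirm the comparison still rejects a negative pkt->size whichever signedness that type has. No include is added by this patch, so also confirm INT_MAX is already declared in this file.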
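Review bot: in the third hunk (@@ -2175,7 +2179,10 @@), `id_size_int = id_size;` and `settings_size_int = settings_size;` are narrowing assignments whose safety depends entirely on the INT_MAX check added in the previous hunk, and nothing at this site says so. Either add a short comment pointing back to that check, or drop the two locals introduced in the first hunk and cast at the call site, i.e. pass `(int)id_size` and `(int)settings_size` to avio_printf(), which keeps the conversion next to the only place it is needed and makes it harder for a later edit to move the printf above the check.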
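Review bot: in the last hunk (@@ -2352,6 +2359,8 @@), `duration` now carries either a duration or a negative AVERROR code from mkv_write_vtt_blocks(), and that return contract is not documented anywhere in the visible lines. Suggest a brief comment on mkv_write_vtt_blocks() stating that it returns a negative error code on failure, or keeping the two meanings apart with a separate variable, e.g. `ret = mkv_write_vtt_blocks(s, pb, pkt); if (ret < 0) return ret; duration = ret;`, so a reader of mkv_write_packet_internal() does not have to infer that a variable named duration can hold an error.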